<!DOCTYPE html>
<html>
<head>
  <title>Embedded Enforcement: Sec-Required-CSP header.</title>
  <!--
    This test is creating and navigating >=70 iframes. This can exceed the
    "short" timeout". See https://crbug.com/818324
  -->
  <meta name="timeout" content="long">

  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    var tests = [
      { "name": "Sec-Required-CSP is not sent if `csp` attribute is not set on <iframe>.",
        "csp": null,
        "expected":  null },
      { "name": "Send Sec-Required-CSP when `csp` attribute of <iframe> is not empty.",
        "csp": "script-src 'unsafe-inline'",
        "expected":  "script-src 'unsafe-inline'" },
      { "name": "Send Sec-Required-CSP Header on change of `src` attribute on iframe.",
        "csp": "script-src 'unsafe-inline'",
        "expected":  "script-src 'unsafe-inline'" },
      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - gibberish csp",
        "csp": "completely wrong csp",
        "expected": "completely wrong csp" },
      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name",
        "csp": "invalid-policy-name http://example.com",
        "expected": "invalid-policy-name http://example.com" },
      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - unknown policy name in multiple directives",
        "csp": "media-src http://example.com; invalid-policy-name http://example.com",
        "expected": "media-src http://example.com; invalid-policy-name http://example.com" },
      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - misspeled 'none'",
        "csp": "media-src 'non'",
        "expected": "media-src 'non'" },
      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - query values in path",
        "csp": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string",
        "expected": "script-src 'unsafe-inline' 127.0.0.1:8000/path?query=string" },
      { "name": "Wrong but allowed value of `csp` should still trigger sending Sec-Required-CSP Header - missing semicolon",
        "csp": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *",
        "expected": "script-src 'unsafe-inline' 'self' object-src 'self' style-src *" },
      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - comma separated",
        "csp": "script-src 'unsafe-inline' 'self', object-src 'none'",
        "expected": null },
      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid characters in directive names",
        // script-src 127.0.0.1:8000
        "csp": "script-src 'unsafe-inline' &#x31;&#x32;&#x37;&#x2E;&#x30;&#x2E;&#x30;&#x2E;&#x31;&#x3A;&#x38;&#x30;&#x30;&#x30;",
        "expected": null },
      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - invalid character in directive name",
        // script-src 127.0.0.1:8000
        "csp": "media-src%20127.0.0.1%3A8000",
        "expected": null },
      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-uri present",
        "csp": "script-src 'unsafe-inline'; report-uri resources/dummy-report.php",
        "expected": null },
      { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present",
        "csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php",
        "expected": null },
    ];

    tests.forEach(test => {
      async_test(t =>  {
        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
        assert_required_csp(t, url, test.csp, [test.expected]);
      }, "Test same origin: " + test.name);

      async_test(t => {
        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
        var redirect_url = generateRedirect(Host.SAME_ORIGIN, url);
        assert_required_csp(t, redirect_url, test.csp, [test.expected]);
      }, "Test same origin redirect: " + test.name);

      async_test(t => {
        var url = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
        var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url);
        assert_required_csp(t, redirect_url, test.csp, [test.expected]);
      }, "Test cross origin redirect: " + test.name);

      async_test(t => {
        var url = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP);
        var redirect_url = generateRedirect(Host.CROSS_ORIGIN, url);
        assert_required_csp(t, redirect_url, test.csp, [test.expected]);
      }, "Test cross origin redirect of cross origin iframe: " + test.name);

      async_test(t => {
        var i = document.createElement('iframe');
        if (test.csp)
          i.csp = test.csp;
        i.src = generateURLString(Host.SAME_ORIGIN, PolicyHeader.REQUIRED_CSP);
        var loaded = false;

        window.addEventListener('message', t.step_func(e => {
          if (e.source != i.contentWindow || !('required_csp' in e.data))
              return;
          if (!loaded) {
            assert_equals(e.data['required_csp'], test.expected);
            loaded = true;
            i.csp = "default-src 'unsafe-inline'";
            i.src = generateURLString(Host.CROSS_ORIGIN, PolicyHeader.REQUIRED_CSP);
          } else {
            // Once iframe has loaded, check that on change of `src` attribute
            // Required-CSP value is based on latest `csp` attribute value.
            assert_equals(e.data['required_csp'], "default-src 'unsafe-inline'");
            t.done();
          }
        }));

        document.body.appendChild(i);
      }, "Test Required-CSP value on `csp` change: " + test.name);
    });
  </script>
</body>
</html>
